2 Answers

In step 2, the adversary outputs two messages. One of these will be selected at random for encryption. You can think of the adversary sending these messages to a "challenger" that also has oracle access (or is the oracle itself). It doesn't really matter who is running the challenge since the challenger doesn't have any "intelligence." All the challenger does is flip a coin to choose a message and remember which message she chose, so she can determine if the adversary guesses correctly or not.

If you think of the adversary as an interactive Turing machine, then the values are put on its output tape (likely why it was phrased that way in the text).

The random bit is just a formalization of flipping an unbiased coin. The challenger uses it to pick one of the two messages. If the ciphertext of a given plaintext is indistinguishable from any other ciphertext, then the adversary cannot know which one was chosen any better than predicting the value of the coin flip: which is one half. Therefore, if the adversary can demonstrate the ability to predict better than one half which message was encrypted, it must be the case that the encryption function causes the ciphertexts to leak information about the plaintexts (either by looking at the ciphertext or by submitting related ciphertexts for decryption). In this case, the system is not CCA-secure.

The idea of IND-CCA2 (indistinguishable under an adaptive chosen-ciphertext attack) is that the attacker has no chance to distinguish the ciphertexts of two given plaintext messages, even if it can feed the decryption machine other ciphertexts for decryption.

In the second part of the experiment, the adversary has to choose two messages for the challenge (of equal length, since it is often easy to distinguish different-length messages by their different-length ciphertexts).

The challenger then randomly chooses one of these messages (this is the random bit), encrypts it, and gives the result of this encryption as the challenge ciphertext back to the adversary.

The task of the adversary now is to guess which of the two plaintexts was chosen by the challenger. She wins the game if she guesses right.

(Both adversary and challenger are usually not actual persons, but can be thought of as randomized algorithms, just like $\Gen$, $\Enc$ and $\Dec$.)

As guessing right occurs with probability $\frac12$ for a random guess, as cryptanalysts we actually want an adversary which will guess right with some probability strictly greater than that, and which doesn't need too long. As designers/users of an algorithm/protocol, we want that no adversary with such a capability exists (or at least, that it is not known to anyone).

All this (other than the first paragraph) actually applies to all these "IND-*" properties - the difference is just what means such an attacker can use to do this.

In the IND-CCA2 case, the attacker has a decryption oracle available even after seeing the challenge ciphertext (but is not allowed to use it with the challenge ciphertext, to avoid a trivial win).

With IND-CCA, after seeing the challenge ciphertext, no more decryption oracles are allowed to the adversary (i.e. she can't adapt to the challenge). (It might be that your book doesn't distinguish these two cases.)

For a ciphertext-only attack, the adversary has neither encryption nor decryption oracle.
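The experiment both answers describe, as an added example that is not part of either answer: a Python simulation of the IND-CCA2 game with a constructed hash-based toy stream cipher (my own assumption, not the scheme from the question's book), a challenger that flips the bit and refuses exactly one oracle query, and an adversary that wins every run because the toy scheme is malleable.

```python
import hashlib
import os
import secrets

def keystream(key, nonce, n):
    """Hash-based toy keystream, constructed for illustration only (not a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def enc(key, m):
    """Randomised encryption: fresh nonce, then XOR with the keystream."""
    nonce = os.urandom(8)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(key, nonce, len(m))))

def dec(key, c):
    nonce, body = c[:8], c[8:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

def ind_cca2_game(key, adversary):
    """One run of the experiment; True iff the adversary's guess equals the bit b."""
    challenge = None
    def dec_oracle(c):
        if c == challenge:                       # the one query the rules forbid
            raise ValueError("challenge ciphertext may not be decrypted")
        return dec(key, c)
    m0, m1 = adversary.choose(dec_oracle)        # step 2: two equal-length messages
    assert len(m0) == len(m1)
    b = secrets.randbits(1)                      # the challenger's random bit
    challenge = enc(key, (m0, m1)[b])            # challenge ciphertext
    return adversary.guess(challenge, dec_oracle) == b

class MalleabilityAdversary:
    """Flips one ciphertext bit, decrypts the related ciphertext, undoes the flip."""
    def choose(self, dec_oracle):
        self.m0, self.m1 = b"attack at dawn", b"attack at dusk"   # constructed messages
        return self.m0, self.m1
    def guess(self, c, dec_oracle):
        c2 = c[:-1] + bytes([c[-1] ^ 0x01])      # c2 != c, so the oracle must answer
        m2 = dec_oracle(c2)
        m = m2[:-1] + bytes([m2[-1] ^ 0x01])     # recover the challenged plaintext
        return 0 if m == self.m0 else 1

def win_rate(adversary_cls, trials=200):
    """Fraction of runs won; 1/2 is the baseline, anything clearly above it breaks CCA2."""
    key = os.urandom(16)
    return sum(ind_cca2_game(key, adversary_cls()) for _ in range(trials)) / trials
```

A scheme whose decryption oracle rejects any ciphertext that was not produced by the encryption algorithm (for instance an authenticated one) gives this adversary nothing useful to do with the oracle.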